Fix CVE-2026-23876 with patch provided by NVD advisory.

Link: https://nvd.nist.gov/vuln/detail/CVE-2026-23876

Signed-off-by: Bhabu Bindu <[email protected]>
---
 .../imagemagick/CVE-2026-23876.patch          | 67 +++++++++++++++++++
 .../imagemagick/imagemagick_7.1.1.bb          |  1 +
 2 files changed, 68 insertions(+)
 create mode 100644 
meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch

diff --git 
a/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch 
b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch
new file mode 100644
index 0000000000..d25038e513
--- /dev/null
+++ b/meta-oe/recipes-support/imagemagick/imagemagick/CVE-2026-23876.patch
@@ -0,0 +1,67 @@
+From 2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 Mon Sep 17 00:00:00 2001
+From: Dirk Lemstra <[email protected]>
+Date: Sun, 18 Jan 2026 17:54:12 +0100
+Subject: [PATCH] Added overflow checks to prevent an out of bounds write
+ 
(https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8)
+
+CVE: CVE-2026-23876
+Upstream-Status: Backport 
[https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8]
+Signed-off-by: Bhabu Bindu <[email protected]>
+---
+ coders/xbm.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/coders/xbm.c b/coders/xbm.c
+index a7a798ea168..d6cd5780d44 100644
+--- a/coders/xbm.c
++++ b/coders/xbm.c
+@@ -197,6 +197,10 @@ static Image *ReadXBMImage(const ImageInfo 
*image_info,ExceptionInfo *exception)
+   short int
+     hex_digits[256];
+ 
++  size_t
++    bytes_per_line,
++    length;
++
+   ssize_t
+     i,
+     x,
+@@ -209,8 +213,6 @@ static Image *ReadXBMImage(const ImageInfo 
*image_info,ExceptionInfo *exception)
+   unsigned int
+     bit,
+     byte,
+-    bytes_per_line,
+-    length,
+     padding,
+     version;
+ 
+@@ -345,15 +347,15 @@ static Image *ReadXBMImage(const ImageInfo 
*image_info,ExceptionInfo *exception)
+   if (((image->columns % 16) != 0) && ((image->columns % 16) < 9) &&
+       (version == 10))
+     padding=1;
+-  bytes_per_line=(unsigned int) (image->columns+7)/8+padding;
+-  length=(unsigned int) image->rows;
+-  data=(unsigned char *) AcquireQuantumMemory(length,bytes_per_line*
+-    sizeof(*data));
++  bytes_per_line=(image->columns+7)/8+padding;
++  if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != 
MagickFalse)
++    ThrowReaderException(CorruptImageError,"ImproperImageHeader");
++  data=(unsigned char *) AcquireQuantumMemory(length,sizeof(*data));
+   if (data == (unsigned char *) NULL)
+     ThrowReaderException(ResourceLimitError,"MemoryAllocationFailed");
+   p=data;
+   if (version == 10)
+-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); (i+=2))
++    for (i=0; i < (ssize_t) length; i+=2)
+     {
+       c=XBMInteger(image,hex_digits);
+       if (c < 0)
+@@ -366,7 +368,7 @@ static Image *ReadXBMImage(const ImageInfo 
*image_info,ExceptionInfo *exception)
+         *p++=(unsigned char) (c >> 8);
+     }
+   else
+-    for (i=0; i < (ssize_t) (bytes_per_line*image->rows); i++)
++    for (i=0; i < (ssize_t) length; i++)
+     {
+       c=XBMInteger(image,hex_digits);
+       if (c < 0)
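Review bot: The new guard `if (HeapOverflowSanityCheckGetSize(bytes_per_line,image->rows,&length) != MagickFalse)` in the third coders/xbm.c hunk calls a helper that this backport neither defines nor adds an include for. The fix therefore only builds if xbm.c at the recipe's pinned SRCREV already sees that declaration, and the embedded patch appears to be taken unchanged from the upstream commit, so it is worth confirming that it applies without fuzz and compiles against that revision. The call also reads inverted at first glance, because the non-false return is the failure path; a one-line comment above it such as `/* a non-false return means bytes_per_line*rows does not fit in size_t */` would record that, and that the allocation and both read loops now share `length`. ReadXBMImage starts and ends outside these hunks, so the later code that reads back from `data` cannot be checked from here.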
diff --git a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb 
b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
index 0a1d34e313..abad1fe5d1 100644
--- a/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
+++ b/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
@@ -27,6 +27,7 @@ SRC_URI = 
"git://github.com/ImageMagick/ImageMagick.git;branch=main;protocol=htt
            file://CVE-2025-65955.patch \
            file://CVE-2026-22770.patch \
            file://CVE-2026-23874.patch \
+           file://CVE-2026-23876.patch \
            "
 SRCREV = "82572afc879b439cbf8c9c6f3a9ac7626adf98fb"
 
-- 
2.34.1
